authordavid2019-07-18 23:30:44 +0000
committeradmin2019-07-18 23:30:44 +0000
commita150e0ea498fa7e3ea34caae75a05c249fa0d990 (patch)
tree132daa212660fb0ce12b5ea34890def34bc4e248 /doc
parentba8c4b6ce6087fab465b6f1a33ecbcb72f5f5c27 (diff)
Added a comment: A first attempt
Diffstat (limited to 'doc')
-rw-r--r--doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_1_0656133cfbc13b7369a74f351a9388c4._comment94
1 files changed, 94 insertions, 0 deletions
diff --git a/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_1_0656133cfbc13b7369a74f351a9388c4._comment b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_1_0656133cfbc13b7369a74f351a9388c4._comment
new file mode 100644
index 00000000..06939eec
--- /dev/null
+++ b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_1_0656133cfbc13b7369a74f351a9388c4._comment
@@ -0,0 +1,94 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="A first attempt"
+ date="2019-07-18T23:30:44Z"
+ content="""
+Here's what I came up with. I don't know if I'm missing some more obvious way. Thanks to Stefan Gronke on github for answering \"what's a simple way to make an iptables systemd service\"
+
+[[!format haskell \"\"\"
+module Propellor.Property.SiteSpecific.Tethera.Firewall (
+ iptablesRules
+ , iptablesUnits
+ , saved
+ ) where
+
+import Propellor.Base
+import Propellor.Property.Firewall
+-- import qualified Propellor.Property.Cmd as Cmd
+import qualified Propellor.Property.File as File
+
+iptablesRules :: [Port] -> [Port] -> Property DebianLike
+iptablesRules tcpPorts udpPorts = propertyList \"IPTables based firewall\" $ props
+ & installed
+ & rule INPUT Filter DROP (Ctstate [INVALID])
+ & rule INPUT Filter ACCEPT (InIFace \"lo\")
+ & rule OUTPUT Filter ACCEPT (OutIFace \"lo\")
+ & rule INPUT Filter ACCEPT (Ctstate [ESTABLISHED, RELATED])
+ & rule INPUT Filter ACCEPT (Proto ICMP)
+ & openPorts TCP tcpPorts
+ & openPorts UDP udpPorts
+ & rule OUTPUT Filter ACCEPT Everything
+ & rule INPUT Filter DROP Everything
+ & rule FORWARD Filter DROP Everything
+ where
+ openPorts proto lst = combineProperties \"open TCP ports\" $
+ toProps (map
+ (\p -> (rule INPUT Filter ACCEPT
+ ((Proto proto) :- (DPort p)) ))
+ lst)
+
+saved :: Property UnixLike
+saved = combineProperties \"iptables rules saved\" $ props
+ & cmdProperty \"iptables-save\" [\"-f\", rulesFile ]
+ `changesFile` rulesFile
+ `requires` File.dirExists rulesDir
+ & cmdProperty \"ip6tables-save\" [\"-f\", rules6File ]
+ `changesFile` rules6File
+ `requires` File.dirExists rulesDir
+ where
+ rulesDir = \"/etc/iptables\"
+ rulesFile = rulesDir ++ \"/iptables.rules\"
+ rules6File = rulesDir ++ \"/ip6tables.rules\"
+
+iptablesUnits :: Property UnixLike
+iptablesUnits = combineProperties \"systemd units for iptables\" $ props
+ & unitFile \"iptables\"
+ & unitFile \"ip6tables\"
+ where
+ unitDir = \"/etc/systemd/system\"
+ unitFile baseName = combineProperties (\"systemd units for \" ++ baseName) $ props
+ & File.hasContent (unitDir ++ \"/\"++baseName++\".service\")
+ [
+ \"[Unit]\"
+ , \"Description=Packet Filtering Framework\"
+ , \"DefaultDependencies=no\"
+ , \"After=systemd-sysctl.service\"
+ , \"Before=sysinit.target\"
+ , \"[Service]\"
+ , \"Type=oneshot\"
+ , \"ExecStart=/sbin/\"++baseName++\"-restore /etc/iptables/\"++baseName++\".rules\"
+ , \"ExecReload=/sbin/\"++baseName++\"-restore /etc/iptables/\"++baseName++\".rules\"
+ , \"ExecStop=/usr/local/bin/flush-\"++baseName++\".sh\"
+ , \"RemainAfterExit=yes\"
+ , \"[Install]\"
+ , \"WantedBy=multi-user.target\"
+ ]
+ & File.hasContent fipSh
+ [
+ \"#!/bin/sh\"
+ , \"iptables -F\"
+ , \"iptables -X\"
+ , \"iptables -t nat -F\"
+ , \"iptables -t nat -X\"
+ , \"iptables -t mangle -F\"
+ , \"iptables -t mangle -X\"
+ , \"iptables -P INPUT ACCEPT\"
+ , \"iptables -P FORWARD ACCEPT\"
+ , \"iptables -P OUTPUT ACCEPT\"
+ ]
+ & File.mode fipSh 0755
+ where
+ fipSh = \"/usr/local/bin/flush-\"++baseName++\".sh\"
+\"\"\"]]
+"""]]
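Review bot: The flush script written by `unitFile` hard-codes the `iptables` binary (lines 101–109), but `unitFile` is also instantiated with `baseName = "ip6tables"` (line 78) and that unit's `ExecStop` points at `/usr/local/bin/flush-ip6tables.sh` (line 93); so stopping ip6tables.service flushes the IPv4 tables and resets their policies to ACCEPT while the IPv6 rules stay loaded. The script body should derive the binary from `baseName`, like the `ExecStart`/`ExecReload` lines already do. Separately, an `ExecStop` that sets all policies to ACCEPT means `systemctl stop iptables` leaves the host unfiltered rather than failing closed, which is worth at least a comment on the unit, and the `openPorts` helper labels its property `"open TCP ports"` even when called with `UDP` (line 51). `unitFile` is fully contained in the hunk.
```haskell
	& File.hasContent fipSh
		( "#!/bin/sh" : map ((baseName ++ " ") ++)
			[ "-F", "-X"
			, "-t nat -F", "-t nat -X"
			, "-t mangle -F", "-t mangle -X"
			, "-P INPUT ACCEPT", "-P FORWARD ACCEPT", "-P OUTPUT ACCEPT"
			] )
	-- … unchanged: File.mode fipSh 0755, where fipSh …
```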